The Autonomous Agents for Intrusion Detection Group is composed
of a number of students and faculty within the CERIAS at Purdue University who are
interested in studying novel distributed methods of Intrusion
Detection.

Purpose of the Group

We address the problem of intrusion detection from a different
angle: instead of a monolithic Intrusion Detection System
(IDS) design, we propose a distributed architecture that
utilizes small independent entities, known as Agents, to
detect anomalous or malicious behavior. We think our design
has advantages over other architectures in terms of
scalability, efficiency, fault-tolerance, and
configurability.

Our purpose is to study the approach mentioned above by building
systems that use it and measuring their performance and
detection capabilities. By doing this, we expect to be able to
discover the capabilities and limitations of the agent-based
approach when applied to real systems.

Current status

The first complete specification of the AAFID architecture has
been finished and proposed in a paper. On the implementation
front, the second release of the system built on the AAFID
architecture, called AAFID2, has been released to the public.

The second release of the AAFID2 prototype has been released to
the public! (Sep 7, 1999)

The latest implementation of a system that adheres to the AAFID
architecture is called AAFID2. It is the second implementation of
such a system, and the first one to be made available, both to the
sponsors of the project and to the public.

AAFID2 is implemented completely in Perl5, which makes it easy to
install, run, and port to different systems. It has only been
tested on Unix machines, but we are in the process of porting it
to Windows NT as well.

The purpose of AAFID2 is to make it easy to experiment with the
AAFID architecture. To that end, it has been made extremely
flexible and configurable. It was developed using the
object-oriented programming features of Perl5, which makes code
reuse easy. The base infrastructure of AAFID2 includes most of the
essential facilities for developing new entities, be they
monitors, transceivers, agents or filters. AAFID2 also includes
a code generation tool for developing new agents.
More information can be found in the announcement.
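The two passages above describe the agent-based design only in outline: small independent agents detect anomalous or malicious behaviour, and the infrastructure supplies four entity types (monitors, transceivers, agents, filters). The following is an added illustration of that idea in Python, not code from AAFID2 (which is written in Perl5) and not a description of how AAFID actually wires its entities. The roles assigned here are assumptions made for the example: a filter decides which log lines an agent sees, an agent is a small detector that emits alerts, a per-host transceiver runs its agents and isolates one that crashes, and a monitor collects alerts from several transceivers. The log lines are constructed, not real captures.

```python
# Toy agent-based IDS pipeline (added illustration, not AAFID2 code).
# Entity names come from the page; how they are wired is an assumption:
#   filter -> which log lines an agent sees; agent -> small detector that
#   emits alerts; transceiver -> per-host, runs agents and isolates faults;
#   monitor -> collects alerts from many transceivers.
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    host: str
    agent: str
    detail: str


class Agent:
    name = "agent"
    pattern = re.compile(r".")  # filter: only matching lines reach inspect()

    def inspect(self, host: str, line: str) -> Alert | None:
        raise NotImplementedError


class FailedLoginAgent(Agent):
    """Alerts once when a single source reaches `limit` failed logins."""
    name = "failed-login"
    pattern = re.compile(r"sshd\[\d+\]: Failed password .* from (\S+)")

    def __init__(self, limit: int = 3) -> None:
        self.limit = limit
        self.failures: Counter[str] = Counter()

    def inspect(self, host, line):
        src = self.pattern.search(line).group(1)  # filtered: always matches
        self.failures[src] += 1
        if self.failures[src] == self.limit:  # alert exactly once per source
            return Alert(host, self.name, f"{self.limit} failed logins from {src}")
        return None


class PasswdChangeAgent(Agent):
    """Alerts on any audited write to /etc/passwd."""
    name = "passwd-change"
    pattern = re.compile(r"audit: .*path=/etc/passwd .*op=write")

    def inspect(self, host, line):
        return Alert(host, self.name, "write to /etc/passwd")


class BrokenAgent(Agent):
    """Deliberately faulty: one crashing agent must not stop the others."""
    name = "broken"

    def inspect(self, host, line):
        raise RuntimeError("agent bug")


class Monitor:
    def __init__(self) -> None:
        self.alerts: list[Alert] = []

    def receive(self, alert: Alert) -> None:
        self.alerts.append(alert)

    def by_host(self) -> dict[str, list[str]]:
        out: dict[str, list[str]] = defaultdict(list)
        for a in self.alerts:
            out[a.host].append(f"{a.agent}: {a.detail}")
        return dict(out)


@dataclass
class Transceiver:
    host: str
    agents: list[Agent]
    monitor: Monitor
    agent_errors: Counter = field(default_factory=Counter)

    def feed(self, line: str) -> None:
        for agent in self.agents:
            if not agent.pattern.search(line):  # filter stage
                continue
            try:
                alert = agent.inspect(self.host, line)
            except Exception:  # isolate the faulty agent; the rest keep running
                self.agent_errors[agent.name] += 1
                continue
            if alert:
                self.monitor.receive(alert)


# Constructed sample log lines (not real captures).
SAMPLE_LOGS = {
    "web1": [
        "Sep  7 10:00:01 web1 sshd[4021]: Failed password for root from 10.0.0.9 port 51022 ssh2",
        "Sep  7 10:00:03 web1 sshd[4021]: Failed password for root from 10.0.0.9 port 51023 ssh2",
        "Sep  7 10:00:05 web1 sshd[4021]: Failed password for root from 10.0.0.9 port 51024 ssh2",
        "Sep  7 10:01:00 web1 cron[801]: (root) CMD (/usr/sbin/logrotate)",
    ],
    "db1": [
        "Sep  7 10:02:00 db1 audit: uid=0 path=/etc/passwd op=write",
        "Sep  7 10:02:01 db1 sshd[777]: Accepted publickey for deploy from 10.0.0.5 port 4000 ssh2",
    ],
}


def run_demo() -> tuple[Monitor, dict[str, Transceiver]]:
    """One monitor, one transceiver per host, the same three agents on each."""
    monitor = Monitor()
    trx = {h: Transceiver(h, [FailedLoginAgent(3), PasswdChangeAgent(), BrokenAgent()], monitor)
           for h in SAMPLE_LOGS}
    for host, lines in SAMPLE_LOGS.items():
        for line in lines:
            trx[host].feed(line)
    return monitor, trx
```

Running `run_demo()` yields one alert per host at the monitor (the failed-login threshold on web1, the /etc/passwd write on db1), while the faulty agent's exceptions are counted per host in `Transceiver.agent_errors` without disturbing the other agents. That isolation is the fault-tolerance property the page claims for the agent-based design; adding a new detector is a matter of writing one more small `Agent` subclass with its own filter pattern.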

Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, E. H. Spafford,
and Diego Zamboni. Department of Computer Sciences, Purdue
University; COAST TR 98-05; 1998.
This paper documents the AAFID architecture, describes some of
the experiences with the prototypes that have been developed, and
offers some thoughts on future development.

A framework and prototype for a distributed Intrusion Detection
System

Diego Zamboni and E. H. Spafford. Department of Computer
Sciences; 1998.
This is the user's guide for the AAFID2 prototype. It covers how
to use the programs included in the prototype, as well as how to
develop new agents for use with the system. Note: the latest
version of this document is distributed with the AAFID2
prototype.

Near-term goals

Currently, our main objective is to gather feedback from people
who use the AAFID2 prototype and use it to correct problems and
improve the prototype. We are also developing as many new agents
as possible, both to provide a good base of functionality in the
prototype distribution and to test the agent-development
facilities included with AAFID2.

Related information

For more information about the origins of the AAFID project, and
about intrusion detection and agents in general, we suggest the
following links: